RS-2176 L7 docs edits (#1769)

Co-authored-by: Christopher Tauchen <[email protected]>
tigera · Nov 22, 2024 · 154714e · 154714e
1 parent 583e5ff
commit 154714e
Show file tree

Hide file tree

Showing 10 changed files with 158 additions and 55 deletions.
diff --git a/calico-cloud/visibility/elastic/l7/configure.mdx b/calico-cloud/visibility/elastic/l7/configure.mdx
@@ -68,27 +68,36 @@ In this step, you will configure L7 logs, select logs for collection, and test t
 
 **Configure the ApplicationLayer resource for L7 logs**
 
-1. Create or update the [ApplicationLayer](../../../reference/installation/api.mdx#operator.tigera.io/v1.ApplicationLayer) resource named, `tigera-secure` to include a logCollection section of the file, `_api.html` [here](../../../reference/installation/api.mdx).
-
-1. Ensure that the `collectLogs` field is set to `Enabled`.
+1. Create or update the [ApplicationLayer](../../../reference/installation/api.mdx#operator.tigera.io/v1.ApplicationLayer) resource named, `tigera-secure`.
 
    Example:
 
-   ```yaml
+   ```bash
+   kubectl apply -f - <<EOF
    apiVersion: operator.tigera.io/v1
    kind: ApplicationLayer
    metadata:
      name: tigera-secure
    spec:
+     # log collection is implemented via sidecar
+     sidecarInjection: true
+     # the following configures the log collection and aggregation behaviour
      logCollection:
        collectLogs: Enabled
        logIntervalSeconds: 5
        logRequestsPerInterval: -1
+   EOF
    ```
 
-1. Apply the resource. This creates `l7-log-collector` daemonset in `calico-system` namespace.
+   Read more about the log collection specification [here](../../../reference/installation/api.mdx#operator.tigera.io/v1.LogCollector).
+
+   Applying this resource creates an `l7-log-collector` daemonset in `calico-system` namespace.
+
+1. Wait for the Log collection daemonset to progress to ready.
 
-1. Ensure that the daemonset progresses and `l7-collector` and `envoy-proxy` containers inside the daemonset are in a `Running` state.
+   ```bash
+   kubectl rollout status -n calico-system ds/l7-log-collector
+   ```
 
 **Select traffic for L7 log collection**
 

diff --git a/calico-cloud_versioned_docs/version-20-1/visibility/elastic/l7/configure.mdx b/calico-cloud_versioned_docs/version-20-1/visibility/elastic/l7/configure.mdx
@@ -68,27 +68,36 @@ In this step, you will configure L7 logs, select logs for collection, and test t
 
 **Configure the ApplicationLayer resource for L7 logs**
 
-1. Create or update the [ApplicationLayer](../../../reference/installation/api.mdx#operator.tigera.io/v1.ApplicationLayer) resource named, `tigera-secure` to include a logCollection section of the file, `_api.html` [here](../../../reference/installation/api.mdx).
-
-1. Ensure that the `collectLogs` field is set to `Enabled`.
+1. Create or update the [ApplicationLayer](../../../reference/installation/api.mdx#operator.tigera.io/v1.ApplicationLayer) resource named `tigera-secure`.
 
    Example:
 
-   ```yaml
+   ```bash
+   kubectl apply -f - <<EOF
    apiVersion: operator.tigera.io/v1
    kind: ApplicationLayer
    metadata:
      name: tigera-secure
    spec:
+     # log collection is implemented via sidecar
+     sidecarInjection: true
+     # the following configures the log collection and aggregation behaviour
      logCollection:
        collectLogs: Enabled
        logIntervalSeconds: 5
        logRequestsPerInterval: -1
+   EOF
    ```
 
-1. Apply the resource. This creates `l7-log-collector` daemonset in `calico-system` namespace.
+   Read more about the log collection specification [here](../../../reference/installation/api.mdx#operator.tigera.io/v1.LogCollector).
+
+   Applying this resource creates an `l7-log-collector` daemonset in `calico-system` namespace.
+
+1. Wait for the Log collection daemonset to progress to ready
 
-1. Ensure that the daemonset progresses and `l7-collector` and `envoy-proxy` containers inside the daemonset are in a `Running` state.
+   ```bash
+   kubectl rollout status -n calico-system ds/l7-log-collector
+   ```
 
 **Select traffic for L7 log collection**
 

diff --git a/calico-enterprise/network-policy/application-layer-policies/alp.mdx b/calico-enterprise/network-policy/application-layer-policies/alp.mdx
@@ -28,15 +28,17 @@ Active connections may be disrupted.
 
 ### Enable application layer policy (ALP)
 
-In the ApplicationLayer custom resource, set the `sidecarInjection` field to `Enabled`:
+Create an (or edit an existing ApplicationLayer) resource with the `sidecarInjection` field to `Enabled`:
 
 ```yaml
+kubectl apply -f - <<EOF
 apiVersion: operator.tigera.io/v1
 kind: ApplicationLayer
 metadata:
   name: tigera-secure
 spec:
   sidecarInjection: Enabled
+EOF
 ```
 
 Patch your deployments by running the following command:

diff --git a/calico-enterprise/threat/web-application-firewall.mdx b/calico-enterprise/threat/web-application-firewall.mdx
@@ -75,15 +75,17 @@ kubectl patch felixconfiguration default --type='merge' -p '{"spec":{"policySync
 
 #### Enable WAF using kubectl
 
-In the ApplicationLayer custom resource, named `tigera-secure`, set the `sidecarInjection` field to `Enabled`.
+Create an (or edit an existing) ApplicationLayer resource named `tigera-secure`, set the `sidecarInjection` field to `Enabled`.
 
 ```bash
+kubectl apply -f - <<EOF
 apiVersion: operator.tigera.io/v1
 kind: ApplicationLayer
 metadata:
   name: tigera-secure
 spec:
   sidecarInjection: Enabled
+EOF
 ```
 
 Or, in Manager UI, click **Threat Defense > Web Application Firewall > Configure Web Application Firewall**.

diff --git a/calico-enterprise/visibility/elastic/l7/configure.mdx b/calico-enterprise/visibility/elastic/l7/configure.mdx
@@ -69,38 +69,72 @@ In this step, you will configure L7 logs, select logs for collection, and test t
 
 ### Configure the ApplicationLayer resource for L7 logs
 
-1. Create or update the [ApplicationLayer](../../../reference/installation/api.mdx#operator.tigera.io/v1.ApplicationLayer) resource named, `tigera-secure` to include a logCollection section of the file, `_api.html` [here](../../../reference/installation/api.mdx).
+1. Create or update the [ApplicationLayer](../../../reference/installation/api.mdx#operator.tigera.io/v1.ApplicationLayer) resource named, `tigera-secure`.
 
-1. Ensure that the `sidecarInjection` field is set to `Enabled`.
+   Example:
 
-   ```yaml
+   ```bash
+   kubectl apply -f - <<EOF
    apiVersion: operator.tigera.io/v1
    kind: ApplicationLayer
    metadata:
      name: tigera-secure
    spec:
+     # log collection is implemented via sidecar
+     sidecarInjection: true
+     # the following configures the log collection and aggregation behaviour
      logCollection:
+       collectLogs: Enabled
        logIntervalSeconds: 5
        logRequestsPerInterval: -1
-     sidecarInjection: Enabled
+   EOF
+   ```
+
+   Read more about the log collection specification [here](../../../reference/installation/api.mdx#operator.tigera.io/v1.LogCollector).
+   
+   Applying this resource creates an `l7-log-collector` daemonset in `calico-system` namespace.
+
+1. Wait for the Log collection daemonset to progress to ready
+
+   ```bash
+   kubectl rollout status -n calico-system ds/l7-log-collector
+   ```
+
+### Quick start: enable log collection on an example app
+
+1. Install Google Microservices Demo
+
+   ```bash
+   kubectl apply -f https://raw.githubusercontent.com/GoogleCloudPlatform/microservices-demo/refs/heads/main/release/kubernetes-manifests.yaml
    ```
 
-1. Apply the resource. This creates `l7-log-collector` daemonset in `calico-system` namespace.
+   without the `-n <namespace>` flag, it is going to be installed in the `default` namespace. if you wish to install in a different namespace, specify the `-n <namespace>` flag on all other commands in this tutorial from this point on.
+
+1. Patch the `frontend` application deployment to start collecting L7 logs for this application
 
-1. Ensure that the daemonset progresses and is fully deployed.
+   ```bash
+   kubectl patch deployment frontend -p '{"spec":{"template":{"metadata":{"labels":{"applicationlayer.projectcalico.org/sidecar":"true"},"annotations":{"applicationlayer.projectcalico.org/logging":"Enabled"}}}}}'
+   ```
 
-### Select traffic for L7 log collection
+   The above command applies the following patch:
+   1. ensures pods in your `frontend` deployment pod template spec has the label `applicationlayer.projectcalico.org/sidecar: true`
+   1. ensures pods in your `frontend` deployment pod template spec has the following annotations:
+     - `applicationlayer.projectcalico.org/logging: Enabled`
 
-1. Patch your application deployments you wish to collect L7 logs as shown.
+   Deployment pods will then be expected to restart. Monitor its progress with:
 
    ```bash
-   kubectl patch deployment <deployment-name> -n <deployment-namespace> -p '{"spec":{"template":{"metadata":{"labels":{"applicationlayer.projectcalico.org/sidecar":"true"},"annotations":{"applicationlayer.projectcalico.org/logging":"Enabled"}}}}}'
+   kubectl rollout status deployment frontend
    ```
 
-2. To disable L7 log collection, remove the label and annotation.
+   [Google Microservices Demo](https://github.com/GoogleCloudPlatform/microservices-demo) includes a load generator. L7 logs should now start displaying log entries that can be viewed via [various UIs](#view-l7-logs-in-manager-ui)
+
+   Alternatively, it is possible to test your configuration [manually](#test-your-configuration).
+
+1. To disable L7 log collection, reverse the above patch with the following command.
 
    ```bash
-   kubectl patch deployment <deployment-name> -n <deployment-namespace> --type='json' -p '[{"op":"remove","path":"/spec/template/metadata/labels/applicationlayer.projectcalico.org~1sidecar"},{"op":"remove","path":"/spec/template/metadata/annotations/applicationlayer.projectcalico.org~1logging"}]'
+   kubectl patch deployment frontend --type='json' -p '[{"op":"remove","path":"/spec/template/metadata/labels/applicationlayer.projectcalico.org~1sidecar"},{"op":"remove","path":"/spec/template/metadata/annotations/applicationlayer.projectcalico.org~1logging"}]'
    ```
 
 ### Test your configuration

diff --git a/calico-enterprise_versioned_docs/version-3.17/visibility/elastic/l7/configure.mdx b/calico-enterprise_versioned_docs/version-3.17/visibility/elastic/l7/configure.mdx
@@ -71,27 +71,36 @@ In this step, you will configure L7 logs, select logs for collection, and test t
 
 **Configure the ApplicationLayer resource for L7 logs**
 
-1. Create or update the [ApplicationLayer](../../../reference/installation/api.mdx#operator.tigera.io/v1.ApplicationLayer) resource named, `tigera-secure` to include a logCollection section of the file, `_api.html` [here](../../../reference/installation/api.mdx).
-
-1. Ensure that the `collectLogs` field is set to `Enabled`.
+1. Create or update the [ApplicationLayer](../../../reference/installation/api.mdx#operator.tigera.io/v1.ApplicationLayer) resource named, `tigera-secure`.
 
    Example:
 
-   ```yaml
+   ```bash
+   kubectl apply -f - <<EOF
    apiVersion: operator.tigera.io/v1
    kind: ApplicationLayer
    metadata:
      name: tigera-secure
    spec:
+     # log collection is implemented via sidecar
+     sidecarInjection: true
+     # the following configures the log collection and aggregation behaviour
      logCollection:
        collectLogs: Enabled
        logIntervalSeconds: 5
        logRequestsPerInterval: -1
+   EOF
    ```
 
-1. Apply the resource. This creates `l7-log-collector` daemonset in `calico-system` namespace.
+   Read more about the log collection specification [here](../../../reference/installation/api.mdx#operator.tigera.io/v1.LogCollector).
+   
+   Applying this resource creates an `l7-log-collector` daemonset in `calico-system` namespace.
+
+1. Wait for the Log collection daemonset to progress to ready
 
-1. Ensure that the daemonset progresses and `l7-collector` and `envoy-proxy` containers inside the daemonset are in a `Running` state.
+   ```bash
+   kubectl rollout status -n calico-system ds/l7-log-collector
+   ```
 
 **Select traffic for L7 log collection**
 

diff --git a/...co-enterprise_versioned_docs/version-3.18-2/visibility/elastic/l7/configure.mdx b/...co-enterprise_versioned_docs/version-3.18-2/visibility/elastic/l7/configure.mdx
@@ -71,27 +71,36 @@ In this step, you will configure L7 logs, select logs for collection, and test t
 
 **Configure the ApplicationLayer resource for L7 logs**
 
-1. Create or update the [ApplicationLayer](../../../reference/installation/api.mdx#operator.tigera.io/v1.ApplicationLayer) resource named, `tigera-secure` to include a logCollection section of the file, `_api.html` [here](../../../reference/installation/api.mdx).
-
-1. Ensure that the `collectLogs` field is set to `Enabled`.
+1. Create or update the [ApplicationLayer](../../../reference/installation/api.mdx#operator.tigera.io/v1.ApplicationLayer) resource named, `tigera-secure`.
 
    Example:
 
-   ```yaml
+   ```bash
+   kubectl apply -f - <<EOF
    apiVersion: operator.tigera.io/v1
    kind: ApplicationLayer
    metadata:
      name: tigera-secure
    spec:
+     # log collection is implemented via sidecar
+     sidecarInjection: true
+     # the following configures the log collection and aggregation behaviour
      logCollection:
        collectLogs: Enabled
        logIntervalSeconds: 5
        logRequestsPerInterval: -1
+   EOF
    ```
 
-1. Apply the resource. This creates `l7-log-collector` daemonset in `calico-system` namespace.
+   Read more about the log collection specification [here](../../../reference/installation/api.mdx#operator.tigera.io/v1.LogCollector).
+   
+   Applying this resource creates an `l7-log-collector` daemonset in `calico-system` namespace.
+
+1. Wait for the Log collection daemonset to progress to ready
 
-1. Ensure that the daemonset progresses and `l7-collector` and `envoy-proxy` containers inside the daemonset are in a `Running` state.
+   ```bash
+   kubectl rollout status -n calico-system ds/l7-log-collector
+   ```
 
 **Select traffic for L7 log collection**
 

diff --git a/...co-enterprise_versioned_docs/version-3.19-2/visibility/elastic/l7/configure.mdx b/...co-enterprise_versioned_docs/version-3.19-2/visibility/elastic/l7/configure.mdx
@@ -71,27 +71,36 @@ In this step, you will configure L7 logs, select logs for collection, and test t
 
 **Configure the ApplicationLayer resource for L7 logs**
 
-1. Create or update the [ApplicationLayer](../../../reference/installation/api.mdx#operator.tigera.io/v1.ApplicationLayer) resource named, `tigera-secure` to include a logCollection section of the file, `_api.html` [here](../../../reference/installation/api.mdx).
-
-1. Ensure that the `collectLogs` field is set to `Enabled`.
+1. Create or update the [ApplicationLayer](../../../reference/installation/api.mdx#operator.tigera.io/v1.ApplicationLayer) resource named, `tigera-secure`.
 
    Example:
 
-   ```yaml
+   ```bash
+   kubectl apply -f - <<EOF
    apiVersion: operator.tigera.io/v1
    kind: ApplicationLayer
    metadata:
      name: tigera-secure
    spec:
+     # log collection is implemented via sidecar
+     sidecarInjection: true
+     # the following configures the log collection and aggregation behaviour
      logCollection:
        collectLogs: Enabled
        logIntervalSeconds: 5
        logRequestsPerInterval: -1
+   EOF
    ```
 
-1. Apply the resource. This creates `l7-log-collector` daemonset in `calico-system` namespace.
+   Read more about the log collection specification [here](../../../reference/installation/api.mdx#operator.tigera.io/v1.LogCollector).
+   
+   Applying this resource creates an `l7-log-collector` daemonset in `calico-system` namespace.
+
+1. Wait for the Log collection daemonset to progress to ready
 
-1. Ensure that the daemonset progresses and `l7-collector` and `envoy-proxy` containers inside the daemonset are in a `Running` state.
+   ```bash
+   kubectl rollout status -n calico-system ds/l7-log-collector
+   ```
 
 **Select traffic for L7 log collection**
 

diff --git a/...co-enterprise_versioned_docs/version-3.20-1/visibility/elastic/l7/configure.mdx b/...co-enterprise_versioned_docs/version-3.20-1/visibility/elastic/l7/configure.mdx
@@ -71,27 +71,36 @@ In this step, you will configure L7 logs, select logs for collection, and test t
 
 **Configure the ApplicationLayer resource for L7 logs**
 
-1. Create or update the [ApplicationLayer](../../../reference/installation/api.mdx#operator.tigera.io/v1.ApplicationLayer) resource named, `tigera-secure` to include a logCollection section of the file, `_api.html` [here](../../../reference/installation/api.mdx).
-
-1. Ensure that the `collectLogs` field is set to `Enabled`.
+1. Create or update the [ApplicationLayer](../../../reference/installation/api.mdx#operator.tigera.io/v1.ApplicationLayer) resource named, `tigera-secure`.
 
    Example:
 
-   ```yaml
+   ```bash
+   kubectl apply -f - <<EOF
    apiVersion: operator.tigera.io/v1
    kind: ApplicationLayer
    metadata:
      name: tigera-secure
    spec:
+     # log collection is implemented via sidecar
+     sidecarInjection: true
+     # the following configures the log collection and aggregation behavior
      logCollection:
        collectLogs: Enabled
        logIntervalSeconds: 5
        logRequestsPerInterval: -1
+   EOF
    ```
 
-1. Apply the resource. This creates `l7-log-collector` daemonset in `calico-system` namespace.
+   Read more about the log collection specification [here](../../../reference/installation/api.mdx#operator.tigera.io/v1.LogCollector).
+   
+   Applying this resource creates an `l7-log-collector` daemonset in the `calico-system` namespace.
+
+1. Wait for the Log collection daemonset to progress to ready
 
-1. Ensure that the daemonset progresses and `l7-collector` and `envoy-proxy` containers inside the daemonset are in a `Running` state.
+   ```bash
+   kubectl rollout status -n calico-system ds/l7-log-collector
+   ```
 
 **Select traffic for L7 log collection**